Information Disclosure
What is information disclosure?
Information disclosure, also known as data leakage or information leakage, refers to the unintentional or unauthorized exposure of sensitive or confidential information to individuals or entities that should not have access to it.
This can include personal data, technical information, intellectual property, or any other data that is considered private or critical to an organization.
What is the impact of information disclosure?
Information disclosure can allow attackers to obtain important technical information about a system via:
- Stack traces: Stack traces may contain sensitive information, such as file paths, server details, or function names, which can provide attackers with additional data for exploitation or social engineering.
- Version headers: By identifying the specific versions of software, attackers can better understand the overall technology stack, which can aid in the development of customized attacks.
- Source code: Source code may contain sensitive information, such as hard-coded credentials, API keys, or configuration details, which can be used by attackers to gain unauthorized access to systems, data, or services.
How to prevent information disclosure?
To prevent information disclosure, it is important to follow security best practices and implement appropriate security measures, such as:
- Disable Error Messages: Disable detailed error messages in production environments and show users only generic error messages.
- Remove Version Information: Remove or obscure version information from HTTP headers, error messages, and other application outputs.
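As an added example (not code from the original page), the following stdlib-only Python sketch shows both controls in one error path: the debug setting leaks the stack trace and a Server banner to the client, while the production setting returns a generic message with an opaque reference id, logs the trace server-side, and strips version-bearing headers. The header list, the Server banner value and the failing file path are constructed for the example.

```python
import logging
import traceback
import uuid

# Response headers that reveal the software stack or its version; this list is
# constructed for the example and should be extended for a real deployment.
VERSION_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}

log = logging.getLogger("app")


def scrub_version_headers(headers: dict) -> dict:
    """Return a copy of the response headers without software/version banners."""
    return {k: v for k, v in headers.items() if k.lower() not in VERSION_HEADERS}


def error_response(exc: Exception, debug: bool) -> tuple:
    """Build an HTTP 500 response (status, headers, body) for an unhandled exception.

    debug=True reproduces the leaky behaviour: the full stack trace (file paths,
    function names, exception text) and the framework banner go to the client.
    debug=False is the production setting: the client sees a generic message plus
    a reference id, the trace goes to the server log, and banners are removed.
    """
    # Banner a framework might add by default (value constructed for the example).
    headers = {"Content-Type": "text/plain", "Server": "ExampleFramework/1.2.3"}
    if debug:
        body = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
        return 500, headers, body
    ref = uuid.uuid4().hex
    # Details stay on the server; the id lets support correlate the log entry.
    log.error("unhandled exception ref=%s", ref, exc_info=exc)
    body = f"An internal error occurred. Reference: {ref}"
    return 500, scrub_version_headers(headers), body


def handle_request(debug: bool = False) -> tuple:
    """Simulate a request whose handler fails on a missing file (constructed)."""
    try:
        raise FileNotFoundError("/srv/app/config/secrets.yaml not found")
    except FileNotFoundError as exc:
        return error_response(exc, debug)
```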
References
Taxonomies
- OWASP Top 10 - A01 Broken Access Control
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor